[Bro] Intel framework not working as expected

James Lay jlay at slave-tothe-box.net
Wed Jan 17 11:46:32 PST 2018


So I have a current working intel framework via this:

http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html

this works great and the intel feeds fire off in intel.log.  With a
couple minor tweaks, I modded the info here to make a newdomain.intel
file: 

https://isc.sans.edu/forums/diary/Tracking+Newly+Registered+Domains/23127/


From my newdomain.intel (obfuscation added): 
#fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
00009117[.]com Intel::DOMAIN newdomains - F -
0000dw[.]com Intel::DOMAIN newdomains - F -
0008[.]red Intel::DOMAIN newdomains - F - 

And my intel lines in local.bro: 
redef Intel::read_files += {
"/opt/bro/share/bro/site/alienvault.intel",
"/opt/bro/share/bro/site/meyhemic.intel",
"/opt/bro/share/bro/site/malhosts.intel",
"/opt/bro/share/bro/site/malips.intel",
"/opt/bro/share/bro/site/newdomain.intel"
}; 

<pause>..... 

As I'm typing this I think I might have the answer, but now I have
another question :D  If I do a DNS request for 0008[.]red I get: 

"2018-01-17T17:01:25+0000 Cn235WxlXKegS2qn4 x.x.x.x 61616 x.x.x.x 53 udp 4327 0.260124 000movies[.]com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 x.x.x.x 14400.000000 F" 

but nothing in the intel.log.  So...it appears that the intel framework
is using just active connections?  Which makes sense, but now, how would
I get bro to, in layman's terms, "bounce dns requests off of the intel
lists as well"?  Please let me know if I haven't explained this well
enough. Thank you. 

James 
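Added example, not part of the post above: a local.bro fragment that hands the query name of every DNS request to the Intel framework, which is what makes Intel::DOMAIN indicators fire on lookups rather than only on connections. Bro ships this same handler as policy/frameworks/intel/seen/dns.bro, so on a stock install `@load frameworks/intel/seen` is sufficient; the explicit event handler here shows what that policy does. It assumes the newdomain.intel file from the post is tab-separated (the input framework does not parse space-separated rows).

```bro
# Added example (not from the original post): match DNS request query
# names against loaded intel. Equivalent to what @load frameworks/intel/seen
# gives you via its dns.bro; written out here to show the mechanism.

@load base/frameworks/intel
@load frameworks/intel/seen/where-locations   # defines DNS::IN_REQUEST
@load frameworks/intel/do_notice              # honour meta.do_notice = T

# Intel files MUST be TAB-separated between fields; a row that uses spaces
# is not parsed. Path is the one from the post.
redef Intel::read_files += {
    "/opt/bro/share/bro/site/newdomain.intel"
};

# dns_request fires for every DNS query Bro parses, whether or not the
# queried name is ever connected to. Passing the name to Intel::seen makes
# a match on an Intel::DOMAIN indicator show up in intel.log with
# seen.where = DNS::IN_REQUEST.
event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
    {
    if ( query == "" )
        return;

    Intel::seen([$indicator=query,
                 $indicator_type=Intel::DOMAIN,
                 $conn=c,
                 $where=DNS::IN_REQUEST]);
    }
```

After a `broctl deploy`, a lookup for one of the listed names should produce an intel.log entry whose seen.where column reads DNS::IN_REQUEST, even though the connection to that host never happens.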